fix: github workflow vulnerable to script injection (#2600)

* fix: github workflow vulnerable to script injection Signed-off-by: Diogo Teles Sant'Anna <[email protected]> * inline forked repo check * Update hermetic_library_generation.yaml * remove unnecessary variable evaluation token * fix wording --------- Signed-off-by: Diogo Teles Sant'Anna <[email protected]> Co-authored-by: Diego Marquez <[email protected]>
googleapis · Aug 20, 2024 · 9ce25b6 · 9ce25b6
1 parent f1407bb
commit 9ce25b6
Showing 1 changed file with 7 additions and 3 deletions.
diff --git a/.github/workflows/hermetic_library_generation.yaml b/.github/workflows/hermetic_library_generation.yaml
@@ -17,10 +17,14 @@ name: Hermetic library generation upon generation config change through pull req
 on:
   pull_request:
 
+env:
+  HEAD_REF: ${{ github.head_ref }}
+  REPO_FULL_NAME: ${{ github.event.pull_request.head.repo.full_name }}
+
 jobs:
   library_generation:
-    # skip pull requests come from a forked repository
-    if: github.event.pull_request.head.repo.full_name == github.repository
+    # skip pull requests coming from a forked repository    
+    if: github.env.REPO_FULL_NAME == github.repository
     runs-on: ubuntu-latest
     steps:
     - uses: actions/checkout@v4
@@ -35,6 +39,6 @@ jobs:
         [ -z "$(git config user.name)" ] && git config --global user.name "cloud-java-bot"
         bash .github/scripts/hermetic_library_generation.sh \
           --target_branch ${{ github.base_ref }} \
-          --current_branch ${{ github.head_ref }}
+          --current_branch $HEAD_REF
       env:
         GH_TOKEN: ${{ secrets.CLOUD_JAVA_BOT_TOKEN }}